In our previous blogs we’ve looked at the GDPR chain of responsibility when you use Google Analytics and some of the steps you need to take to ensure that you can use Google Analytics and still be GDPR compliant. This time we’re going to examine the impact of GDPR when you use Google Analytics on client specific pages.
Client specific pages are a great way to host content that you want to be available only to one individual client or a specific group of clients (such as with a membership site, eCommerce account functions and private pages) when they are logged onto your website. You may want the content to be visible only to those clients, or to enable them to download information for their eyes only.
There is no doubt that Google Analytics is a great web analytics tool to help analyse visitor traffic to your website, including those accessing client-specific pages. As Google says, the information it provides helps you “paint a complete picture of your audience and their needs”.
By choosing to use Google Analytics you are opting to include code on pages in your website to find out more about your website users. Google collects the information, organises and processes it and then makes it available for you to access on your account. Using the various options, filters and goals you can obtain information as simple or as sophisticated as you choose, including data about client specific pages.
That all sounds good so far, except that GDPR, in force from 25th May 2018, means that you need to consider the implications of using Google Analytics, including for client specific pages:
(1) Is Google Analytics processing personal data?
There is an assumption that Google Analytics is about anonymised or pseudonymised data (it’s not, but that’s for another day) and so is outside the scope of data protection.
However, GDPR is about protecting personal data or data which is personally identifiable, which means data from which you can identify a natural person “directly or indirectly” using “all means reasonably likely to be used”. It’s not just about one source of data either, it’s about whether you can identify someone by putting together all the information which you hold.
You need to examine what information Google collects in relation to client specific data and ask yourself whether a client can be identified from it, either by itself or when combined with other data you hold.
So, for example, if Google has access to personally identifiable information such as user log-in information, IP addresses, emails etc. then that is personal information. This is common information held on member pages and member user profiles within the client areas of many websites.
(2) Are you breaching your agreement with Google?
If Google has access to personally identifiable information you may also have another problem. This is because when you sign up and use Google Analytics you are legally bound by their user agreement(s). Part of that agreement says that you agree that you are “prohibited from sending personally identifiable information to Google Analytics”.
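The two problems above (personal data leaking into analytics, and the Google Analytics prohibition on sending personally identifiable information) usually arise from the page URL and page title on logged-in pages, which often carry an email address, account number or session token. The following is an added example, not code from the original post or from Google: it scrubs those values from the URL and title before a page view is handed to the analytics call. The parameter names, the numeric-id rule, the hypothetical `send` hook and the sample URLs are assumptions made for illustration; the actual `gtag` call is left to the site.

```javascript
// Added example, not code from the original post: scrub likely personal data
// from a page's URL and title before the page view is reported to an analytics
// tool, so that e-mail addresses, account ids and session tokens shown on
// member or client-specific pages are not sent along with the hit.
// Assumptions (not from the post): the SENSITIVE_PARAMS list, the numeric-id
// rule and the sample URLs below are constructed for illustration.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Query-string keys that commonly carry an identifier on logged-in pages.
const SENSITIVE_PARAMS = new Set([
  "email", "user", "username", "user_id", "uid", "token", "session",
]);
const PLACEHOLDER = "REDACTED";

// Replace e-mail addresses and long runs of digits (typical account or order
// numbers) inside a single path segment.
function scrubSegment(segment) {
  if (/^\d{4,}$/.test(segment)) return PLACEHOLDER;
  return segment.replace(EMAIL_RE, PLACEHOLDER);
}

function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  url.pathname = url.pathname.split("/").map(scrubSegment).join("/");
  for (const key of Array.from(url.searchParams.keys())) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, PLACEHOLDER);
    }
  }
  // The fragment is never needed for page-view reporting and sometimes carries tokens.
  url.hash = "";
  return url.href;
}

function scrubTitle(title) {
  return title.replace(EMAIL_RE, PLACEHOLDER);
}

// Build the page-view payload. page_location and page_title are the gtag.js
// parameter names; the send itself is delegated to a hook so this runs offline.
function buildPageView(rawUrl, title) {
  return { page_location: scrubUrl(rawUrl), page_title: scrubTitle(title) };
}

function reportPageView(rawUrl, title, send) {
  const params = buildPageView(rawUrl, title);
  send(params); // in the browser, e.g. (p) => gtag('event', 'page_view', p)
  return params;
}

// Constructed sample: a member page whose URL and title both expose the user.
const sample = reportPageView(
  "https://example.test/members/alice@example.com/files?user_id=42&page=2#token=abc",
  "Welcome back, alice@example.com",
  (p) => console.log(JSON.stringify(p)),
);
```

The scrubbing is deliberately applied on the client side, before the hit leaves the browser, because once the data has reached Google the agreement has already been breached. A deny-list of parameter names like the one above is only a starting point; audit the URLs your logged-in area actually generates (account, profile and download pages in particular) and extend the list to match. IP addresses are a separate concern and are not touched by this code.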
(3) Are you lawfully able to process client/personal data in this way?
You need a lawful basis for processing personal data, which could be your need to process data so that you can provide services that clients/users have asked for. However, many businesses rely on the consent of the individual user, or in this case the client, to process data.
This means taking the time to be clear
- about your lawful basis for processing personal data and
- whether the data you are processing is only used for this lawful purpose.
For example, whilst access to client-specific pages may be part of your contractual obligation to provide clients with a service, direct marketing to that client is unlikely to fall into the same category, so you’ll need the client’s consent to do so.
If you are relying on consent you will need to make sure that you are obtaining GDPR compliant consent, meaning that you need to
- let your clients know (providing a clear and sufficient explanation) that you are analysing data in this way AND
- obtain their specific consent to enable you to do this. Relying on a “capture all” consent won’t do. Neither will persuading yourself that you can do this as part of the “service” you offer to clients, unless you can prove that this is the case.